If all you have is the email then analysis of the headers is a good start. This is not an uncommon situation, people often send email from unsecured wifi hotspots, public access computers etc. There's several avenues of investigation.

There's often a wealth of information in an email's headers. It can contain who the email is from, who it was addressed to, which IP address is came from and the route it took. I assume in this case the IP address was in the headers but the owner of said address claims no knowledge of the email being sent. It can get trickier here one but you can look to other headers for additional evidence.

Was the mail sent from a web mail account (gmail, yahoo!, hotmail) or from an email client like Outlook Express? If it came from an email client does the version number in the headers match that installed on a suspect's PC? If a webmail account was used can the provider give up and other IP addresses from which the account was accessed?

Do you believe that someone other than the owner used the wifi connection? Was encryption turned on and if so how likely is it that someone could have cracked the key? Are there any logs on the wireless access point which may provide additional info?

If I put on my "groucho glasese" http://www.fakecrap.com/products/groucho_glasses.html and go to a free wifi spot , change my mac address and set up a new email account on yahoo, see if you can find me! I have made so many death threats to Don already, lol. Just kidding !!!!!!!

But really, you have to know the difference if you are into security.

Last edited by Kev on Thu Sep 25, 2008 2:23 pm, edited 1 time in total.

jimbob wrote:If all you have is the email then analysis of the headers is a good start. This is not an uncommon situation, people often send email from unsecured wifi hotspots, public access computers etc. There's several avenues of investigation.

There's often a wealth of information in an email's headers. It can contain who the email is from, who it was addressed to, which IP address is came from and the route it took. I assume in this case the IP address was in the headers but the owner of said address claims no knowledge of the email being sent. It can get trickier here one but you can look to other headers for additional evidence.

Was the mail sent from a web mail account (gmail, yahoo!, hotmail) or from an email client like Outlook Express? If it came from an email client does the version number in the headers match that installed on a suspect's PC? If a webmail account was used can the provider give up and other IP addresses from which the account was accessed?

Do you believe that someone other than the owner used the wifi connection? Was encryption turned on and if so how likely is it that someone could have cracked the key? Are there any logs on the wireless access point which may provide additional info?

Those are just some thoughts.

Jimbob

Thanks very much.

1. it is sure that the owner did not send the email himself and also certain that it was not sent from his PC. The IP address is obviously his and thats how he could be locatd in the first instance.

2. The headings might not have revealed required clues as otherwise further progress would have been made.

3. so far, so called experts whose help was taken have not been able to come up with an answer.

It is not clear also how exactly a third party could have sent an email with the owner's IP address.

It is not clear also how exactly a third party could have sent an email with the owner's IP address.

The source address could have been forged

The email could have been sent from the computer on that IP address in question without the owners knowledge

An improperly secured wireless network could have been used

Inadequate physical access could let someone turn up and plug in a laptop

The mail could have been sent by the IP address' owner

The IP address could be running a proxy server or mail relay

Malware on the PC could allow remote access

There are others, but I wanted to illustrate how without any other evidence there are a lot of possibilities. If you only have the email headers as evidence you investigation will be limited. If the situation is serious enough the computer attached to the IP address from the email could be seized and examined for evidence.

Jimbob

Last edited by jimbob on Sat Sep 27, 2008 3:54 pm, edited 1 time in total.

It is not clear also how exactly a third party could have sent an email with the owner's IP address.

The source address could have been forged

The email could have been sent from the computer on that IP address in question without the owners knowledge

An improperly secured wireless network could have been used

Inadequate physical access could let someone turn up and plug in a laptop

The mail could have been sent by the IP address' owner

The IP address could be running a proxy server or mail relay

Malware on the PC could allow remote access

There are others, but I wanted to illustrate how without any other evidence there are a lot of possibilities. If you only have the email headers as evidence you investigation will be limited. If the situation is serious enough the computer[s] attached to the IP address from the email could be seized and examined for evidence.

Jimbob

all you say is true. the PC attached to the IP is clean.thats' why the investigation is floundering.

I don't believe there is a reliable way to determine from which PC this email was sent. MAC addresses can be forged, even if you manage to determine what it is. The IP address is obvious, and won't tell you anything.

One thing you can examine is the windows firewall logs. Windows boxes tend to broadcast a lot, and much of this traffic gets logged by the windows firewall. Any logging information available, whether on the firewall or the AP will help. Still, hackers usually aren't stupid enough to use real IPs or MAC addresses.

When we deal with cases like this one, we try to obtain access to the computer of the suspect. You can then do an analysis on the suspect's pc to find fragments of the sent email.

If you use POP3 to download messages from Yahoo, you can configure your email client to either remove the messages or leave a copy on the server. If you are viewing the messages through webmail, then they stay on the server unless deleted.

br945 wrote:issue is HOW TO ESTABLISH from which actual PC or which location and by whom was the hacking done whereby the email headers showed the IP address of the PC of tthe innocent wi-fi user.

You are never going to know. When people run their wireless unsecure or they use easy to get keys, this is what happens. They are inviting everyone to share their wireless connection. There are 5 bone heads on my block that run their wireless wide open. They best be glad I am an "ethical" hacker or I would be sniffing their username/passwords, credit card info and no telling what else.

Any info they might be able to find in the logs is most likely bogus info, e.g., MAC Address, Computer Name, etc. that joined the wireless network. It all boils down to if they believe the person that is saying "I didn't send the email".